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Two formal stochastic models are said to be bisimilar if their solutions as a stochastic process are 
probabilistically equivalent. Bisimilarity between two stochastic model formalisms means that the 
strengths of one stochastic model formalism can be used by the other stochastic model formalism. 
The aim of this paper is to explain bisimilarity relations between stochastic hybrid automata, stochas- 
tic differential equations on hybrid space and stochastic hybrid Petri nets. These bisimilarity relations 
make it possible to combine the formal verification power of automata with the analysis power of 
stochastic differential equations and the compositional specification power of Petri nets. The rela- 
tions and their combined strengths are illustrated for an air traffic example. 

1 Introduction 

Two formal stochastic models are said to be bisimilar if their solutions as a stochastic process (i.e. 
their executions) are probabilistically equivalent El [23]]. Bisimilarity relations between formal stochastic 
models are very useful to study since they allow one stochastic model to take advantage of the strengths of 
the other stochastic model. The aim of this paper is to show bisimulation relations between three different 
stochastic modelling formalisms: stochastic hybrid automata, stochastic differential equations on hybrid 
space, and stochastic hybrid Petri nets. These bisimulation relations make it possible to combine the 
formal verification power of automata with the analysis power of stochastic differential equations and 
the compositional specification power of Petri nets. 

For the stochastic automata formalism, we take the general stochastic hybrid system (GSHS) theoret- 
ical setting developed by [7]. A GSHS is a hybrid automaton defined on a hybrid state space. This hybrid 
state space consists of a countable set of discrete modes, and per discrete mode a Euclidean subset. Per 
discrete mode, a stochastic differential equation (SDE) is defined. Two additional GSHS elements are a 
jump rate function and a GSHS transition measure. The execution of these elements provides a stochastic 
process that follows the solution of the SDE connected to the initial discrete mode. After a time period, 
defined by the jump rate function, the process state may spontaneously jump to another mode, defined 
by the GSHS transition measure. A jump may also be forced if the process state hits the boundary of the 
Euclidean subset. The GSHS execution is referred to as general stochastic hybrid process (GSHP). One 
of the main strengths of the automata formalism is the availability of formal verification tools. 

For the hybrid stochastic differential equations formalism we take the hybrid stochastic differential 
equations (HSDE) theoretical setting developed in a series of complementary studies |[Q|2l[20l|2T]]. A 
HSDE consists of a sequence of SDEs on a hybrid state space, driven by a Poisson random measure. 
When the Poisson random measure generates a multivariate point, a spontaneous jump occurs. A jump 
may also be forced if the process state hits the boundary of a Euclidean subset. The HSDE solution 
process is referred to as general stochastic hybrid process (GSHP). In |[T6ll it is shown that whereas the 
GSHS formalism is at some points more general than HSDE (for GSHS the dimension of the Euclidean 
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subset may depend on the discrete mode; for HSDE this dimension is fixed), HSDE has the advantage of 
an established semi-martingale property and includes the coverage of jump-linear systems. 

For the stochastic hybrid Petri nets formalism, we take stochastically and dynamically coloured Petri 
nets (SDCPN) developed in a series of studies by |[T3l [T4l [T5Tl . A Petri net has places (circles), which 
model possible discrete states or conditions, and which may contain one or more tokens (dots), mod- 
elling which of these states are current. The places are connected by transitions (squares), which model 
state switches by removing input tokens and producing output tokens along arcs (arrows). In SDCPN, 
the tokens have Euclidean-valued colours that follow SDEs. Some of the transitions remove and pro- 
duce tokens spontaneously, other transitions are forced and occur when the colours of their input tokens 
reach the boundary of a Euclidean subset. The collection of token colours in all places forms a general 
stochastic hybrid process (GSHP). The specific strength of SDCPN is their compositional specification 
power, which makes available a hierarchical modelling approach that separates local modelling issues 
from global modelling issues. This is illustrated for a large distributed example in air traffic manage- 
ment fl7l . which covers many distributed agents each of which interacts in a dynamic way with the 
others. Other typical Petri net features are concurrency and synchronisation mechanism, hierarchical 
and modular construction, and natural expression of causal dependencies, in combination with graphical 
and equational representation. 

The aim of this paper is to illustrate the relations between SDCPN, GSHP, HSDE and GSHS which 
show that SDCPN, GSHS and HSDE are bisimilar. This means that if we take the elements of any one of 
these formalisms, we can construct the elements of another formalism in such a way that their associated 
GSHPs are probabilistically equivalent. Fig. [T] shows the relations between the formalisms, and the key 
tools available for each of them. 



'Compositional^ 
^specification. 



SDCPN 


[El] 


GSHP 







denotes bisimilarity 
denotes execution 




Figure 1: Relationship between SDCPN, GSHS, GSHP and HSDE, and their key properties and advan- 
tages. The [B] arrow is established in (T). The [BL] arrow is established in Q. The [El] arrows are 
established in 1 15]. The [E2] arrows are established in ifToll . 

With these relations, the properties and advantages of the various approaches come within reach 
of each other. The compositional specification power of SDCPN makes it relatively easy to develop 
a model for a complex system with multiple interactions. Subsequently, in the analysis stage three 
alternative approaches can be taken. The first is direct execution of SDCPN and evaluation through e.g. 
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Monte Carlo simulation. The second is mapping the SDCPN into a GSHS and evaluating its execution, 
with the advantages of connection to formal methods in automata theory and to optimal control theory 
|[6l . The third is mapping the SDCPN into HSDE and evaluating its solution, with the advantages of 
stochastic analysis for semi-martingales ifTOl fTTl . With the GSHP resulting from any of these three 
means, properties become available such as convergence of discretisation, existence of limits, existence 
of event probabilities, strong Markov properties, and reachability analysis f71l9l [T2ll . 

The organisation of this paper is as follows. Section [2] defines SDCPN and the related SDCPN 
process. Section [3] presents an example SDCPN model for a simple but illustrative air traffic situation. 
Section |4] defines GSHS and illustrates how the example SDCPN can be mapped to a bisimilar GSHS. 
Section [5] defines HSDE and illustrates how the example SDCPN can be mapped to a bisimilar HSDE. 
Section [6]gives conclusions. 

2 SDCPN 

This section outlines stochastically and dynamically coloured Petri net (SDCPN). For a more formal 
definition, we refer to [16]. 

Definition 2.1 (Stochastically and dynamically coloured Petri net.) An SDCPN is a collection of ele- 
ments ST, srf, .J/, y, J, "V, W, c S, 2, together with an SDCPN execution prescription 
which makes use of a sequence {Uf, i = 0, 1, . . .} of independent uniform U [0, 1] random variables, of 
independent sequences of mutually independent standard Brownian motions {B' t P ; i= 1,2,...} of appro- 
priate dimensions, one sequence for each place P, and of five rules R0—R4 that solve enabling conflicts. 

2.1 SDCPN elements 

The SDCPN elements (@>, ST, srf , jV, ,9", J, f, W, , 9, are defined as follows: 

• £P is a finite set of places. 

• ^ is a finite set of transitions which consists of 1) a set ^ of guard transitions, 2) a set ^ of 
delay transitions and 3) a set ^ of immediate transitions. 

• s$ is a finite set of arcs which consists of 1) a set s^o of ordinary arcs, 2) a set s^e of enabling arcs 
and 3) a set s/j of inhibitor arcs. 

• jY : stf — )><^x^U^x^isa node function which maps each arc A € srf to a pair of ordered 
nodes JV{A), where a node is a place or a transition. 

• C {M ,^ 1 ,R 2 , . . .} is a finite set of colour types, with M° = 0. 

• ^ : — > y is a colour type function which maps each place P G 2? to a specific colour type. 
Each token in P is to have a colour in ^{P). If ^{P) = K° then a token in P has no colour. 

• is a probability measure, which defines the initial marking of the net: for each place it defines 
a number > of tokens initially in it and it defines their initial colours. 

• y = {y P ;P e ^^{P) / M } is a set of token colour functions. For each place P G 3 s for 
which C €(P) ^ R°, it contains a function f P : ^(P) -)■ ^(P) that defines the drift coefficient of a 
differential equation for the colour of a token in place P. 
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• W = {Wp;P G ^ ^€(P) / M } is a set of token colour matrix functions. For each place P G 3? 
for which ^(P) ^ R°, it contains a measurable mapping ^> : <if(P) -> ]R"( p ) x/l (^) that defines 
the diffusion coefficient of a stochastic differential equation for the colour of a token in place P, 
where h : & ->• N and : ^ -)■ N is such that <^(P) = M"^'. It is assumed that #/> and "Vp satisfy 
conditions that ensure a probabilistically unique solution of each stochastic differential equation. 

• ^ = {&t',T G E?c\ is a set of transition guards. For each T G 5^;, it contains a transition guard 

which is an open Euclidean subset with boundary d'Sj. 

• *3> = {&t',T G £?d} is a set of transition delay rates. For each T G J^h, it contains a locally 
integrable transition delay rate 3>t- 

• & = {J^r G ^} is a set of firing measures. For each T G 2? , it contains a firing measure J^r, 
which generates the number and colours of the tokens produced when transition T fires, given the 
value of the vector that collects all input tokens: For each output arc, zero or one token is produced. 
For each fixed H, ^j{H\ •) is measurable. For any c, J^V(-;c) is a probability measure. 

For the places, transitions and arcs, the graphical notation is as in Figure [2| 



Q Place [g] Guard transition ► Ordinary arc 



[p] Delay transition • Enabling arc 

|~I~| Immediate transition ° Inhibitor arc 



Figure 2: Graphical notation for places, transitions and arcs in an SDCPN 



2.2 SDCPN execution 

The execution of an SDCPN provides a series of increasing stopping times, {%(, i = 0, 1, . . .}, To = 0, with 
for t G (TLT/t+i) a fixed number of tokens per place and per token a colour which is the solution of a 
stochastic differential equation. 

Initiation. The probability measure <0 characterises an initial marking at To, i.e. it gives each place 
P G zero or more tokens and gives each token in P a colour in ^(P), i.e. a Euclidean- valued vector. 

Token colour evolution. For each token in each place P for which 'to'(P) ^ M°: if the colour of this 
token is equal to Cq at time t = To, and if this token is still in this place at time t > To, then the colour 
Cf of this token equals the probabilistically unique solution of the stochastic differential equation dCf = 
Y P {Cf)dt + Wp{Cf)dB\' P with initial condition C£ = C%, and with {Bl' P } an h(P) -dimensional standard 
Brownian motion. Each token in a place for which ^(P) = M° remains without colour. 

Transition enabling. A transition T is pre-enabled if it has at least one token per incoming ordinary 
and enabling arc in each of its input places and has no token in places to which it is connected by an 
inhibitor arc. For each transition T that is pre-enabled at To, consider one token per ordinary and enabling 
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arc in its input places and write Cj , t > To, as the column vector containing the colours of these tokens; 
Cj evolves through time according to its corresponding token colour functions. If this vector is not 
unique (i.e., if one input place contains several tokens per arc), all possible such vectors are executed in 
parallel. A transition T is enabled if it is pre-enabled and a second requirement holds true. For T G Sfi, 
the second requirement automatically holds true at the time of pre-enabling. For T G 2?g, the second 
requirement holds true when Cj G d'Sj. For T G £?d, the second requirement holds true at t = To + of , 
where of is generated from a probability distribution function Dj(t — To) = 1 — exp(— 3)j{C^)ds). 
A Uniform random variable Uj is used to determine this of . In the case of competing enablings, the 
following rules apply: 

RO The firing of an immediate transition has priority over the firing of a guard or a delay transition. 

Rl If one transition becomes enabled by two or more sets of input tokens at exactly the same time, 
and the firing of any one set will not disable one or more other sets, then it will fire these sets of 
tokens independently, at the same time. 

R2 If one transition becomes enabled by two or more sets of input tokens at exactly the same time, 
and the firing of any one set disables one or more other sets, then the set that is fired is selected 
randomly, with the same probability for each set. 

R3 If two or more transitions become enabled at exactly the same time and the firing of any one 
transition will not disable the other transitions, then they will fire at the same time. 

R4 If two or more transitions become enabled at exactly the same time and the firing of any one 
transition disables some other transitions, then each combination of transitions that can fire inde- 
pendently without leaving enabled transitions gets the same probability of firing. 

Transition firing. If T is enabled, suppose this occurs at time Ti and in a particular vector of token 
colours C T Zi , it removes one token per ordinary input arc corresponding with C T Xx from each of its input 
places (i.e. tokens are not removed along enabling arcs). Next, T produces zero or one token along each 
output arc: If (e^,a^) is a random hybrid vector generated from probability measure ^r(-;C^) (by 
making use of a Uniform random variable [/,■), then vector e£ is a vector of zeros and ones, where the 
ith vector element corresponds with the ith outgoing arc of transition T. An output place gets a token iff 
it is connected to an arc that corresponds with a vector element 1. Moreover, a\ x specifies the colours of 
the produced tokens. 

Execution from first transition firing onwards. At t = Ti , zero or more transitions are pre-enabled (if 
this number is zero, no transitions will fire anymore). If these include immediate transitions, then these 
are fired without delay, but with use of rules R0-R4. If after this, still immediate transitions are enabled, 
then these are also fired, and so forth, until no more immediate transitions are enabled. Next, the SDCPN 
is executed in the same way as described above for the situation from To onwards. 

2.3 SDCPN stochastic process 

The marking of the SDCPN is given by the numbers of tokens in the places and the associated colour val- 
ues of these tokens and can be mapped to a probabilistically unique SDCPN stochastic process {M t ,C t } 
as follows: For any t > To, let a token distribution be characterised by the vector M' t = (M[ v . . . ,M'^ ( ), 
where M' it G N denotes the number of tokens in place Pi at time t and 1, . . . , \&\ refers to a unique order- 
ing of places adopted for SDCPN. At times t G (Tt_i , T&) when no transition fires, the token distribution 
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is unique and we define M, = M' t . The associated colours of these tokens are gathered in a column vector 
Q which first contains all colours of tokens in place Pi, next (i.e. below it) all colours of tokens in place 
Pi, etc, until place P\m. If at time t = one or more transitions fire, then the SDCPN discrete process 
state at time T# is defined by M %1 = the token distribution that occurs after all transitions that fire at time 
Tfc have been fired. The associated colours of these tokens are gathered in a column vector C Xk in the 
same way as described above. This construction ensures that the process {M t ,C t } has limits from the left 
and is continuous from the right, i.e., it satisfies the cadlag property. 

3 Air traffic example and its SDCPN model 

To illustrate the advantages of SDCPN when modelling a complex system, consider a simplified model of 
the evolution of an aircraft in one sector of airspace. The deviation of this aircraft from its intended path 
is affected by its engine system and its navigation system. Each of these aircraft systems can be in either 
Working (functioning properly) or Not working (operating in some failure mode). Both systems switch 
between these modes independently and with exponentially distributed sojourn times, with finite rates 
c>3 (engine repaired), c>4 (engine fails), c>5 (navigation repaired) and 56 (navigation fails), respectively. If 
both systems are Working, the aircraft evolves in Nominal mode and the position Y t and velocity S t of 
the aircraft are determined by dX t = ^(X^dt + W\dW t , where X, = (Y t ,S t )'. If either one, or both, of 
the systems is Not working, the aircraft evolves in Non-nominal mode and the position and velocity of 
the aircraft are determined by dX t = ^(X t )dt + WidW t . The factors W x and W 2 are determined by wind 
fluctuations. Initially, the aircraft has position Fo and velocity So, while both its systems are Working. 
The evaluation of this process may be stopped when the aircraft has Landed, i.e. its vertical position and 
velocity are equal to zero. 

An SDCPN graph for this example is developed in two stages. In the first stage, the agents of 
the operation are modelled separately, by one local SDCPN each, see Fig. [3^. In the next stage, the 
interactions between the agents are modelled, thus connecting the local SDCPN, Fig. [3j). 




3a: Local Petri nets 3b: Composed Petri net 



Figure 3: SDCPN graph for the aircraft evolution example 
Fig. [3]} shows the SDCPN graph for this example, where, 
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• Pi denotes aircraft evolution Nominal, i.e. evolution is according to Y\ and W\. 

• Pi denotes aircraft evolution h 'on-nominal, i.e. evolution is according to Y 2 and W%. 

• P3 and P4 denote engine system Not working and Working, respectively. 

• P5 and P(, denote navigation system Not working and Working, respectively. 

• Pj denotes the aircraft has landed. 

• T\ a and T\b denote a transition of aircraft evolution from Nominal to Non-nominal, due to engine 
system or navigation system Not working, respectively. 

• T2 denotes a transition of aircraft evolution from Non-nominal to Nominal, due to engine system 
and navigation system both Working again. 

• 73 through 76 denote transitions between Working and Not working of the engine and navigation 
systems. 

• Tj and 7g denote transitions of the aircraft landing. 

The graph in Fig.[5]3 completely defines SDCPN elements 2? ', srf and Jf , where = {Ji, T%}, 
Efj) = {T?,,T4, T5, T&) and 3?i = {T\ a , Tib, Ti}- The other SDCPN elements are specified below: 

y-. Two colour types are defined; S* = {R°,R 6 }. 

<Jf: <g(Pi) = ^(P 2 ) = tf(Pi) = M 6 , i.e. tokens in P\, P 2 and P 7 have colours in M 6 ; the colour com- 
ponents model the 3-dimensional position and 3-dimensional velocity of the aircraft. ^(Pj) = 
<jf(p A ) = <T(P 5 ) = <g{P 6 ) = M° = 0. 

J: Place Pi initially has a token with colour X = (Y ,S )', with Y Q G M 2 x (0,°°) and S G M 3 \ 
Col{0,0,0}. Places P4 and P& initially each have a token without colour. 

Y, W: The token colour functions for places P\, P 2 and P? are determined by {Y X ,W X ), {y 2 ,W 2 ), 
and (y 7 ,W 7 ), respectively, where ("^7,^) = (0,0). For places P3 - P& there is no token colour 
function. 

<£: Transitions T 7 and 7g have a guard defined by <g Tl = = M 2 x (0,~) xR 2 x (0,°°). 

@: The jump rates for transitions T3, T4, T5 and T(, are ^r 3 (0 = f^r 4 (0 = ^4. @t 5 (-) = 85 and 
%(-) = 5 6 - 

JF: Each transition has a unique output place, to which it fires a token with a colour (if applicable) 
equal to the colour of the token removed. 



4 From SDCPN to GSHS 

Following [7], this section first presents a definition of general stochastic hybrid system (GSHS) and its 
execution. In [ 15 ] it has been proven that under a few conditions, SDCPN and GSHS are bisimilar. In 



Subsection 4.2 this is illustrated by showing how the SDCPN example of the previous section can be 



mapped to a bisimilar GSHS. 
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4.1 GSHS definition 

Definition 4.1 (General stochastic hybrid system) A GSHS is an automaton (K, d, 9£ , f, g, Init, X, Q), 

where 

• K is a countable set. 

• d : K — > N maps each 6 G K to a natural number. 

• 8£ : K — > {Eg ; B G K} mapi eac/z 6 £ K. to an open subset Eg ofW*^\ With this, the hybrid state 
space is given by E = {{6} x Eg;d G K}. 

• /:£-> {lH e ); G K} jj a vector field. 

• g:E^ {R d ^ xh ; 6 G K} w a matrix field, with hen. 

• Init: 88(E) —> [0, 1] w an initial probability measure, with 88(E) the Borel o-algebra on E. 

• X : E M + jj a jump rate function. 

• 2 : ^(E) x (£ U dis) — >■ [0, 1] is a GSHS transition measure, where dE = {{d} x dEg;6 G K} is 
the boundary ofE, in which dEg is the boundary of Eg. 

Definition 4.2 (GSHS execution) A stochastic process {6 t ,X t } is called a GSHS execution if there 
exists a sequence of stopping times = To < Ti < T2 • • • such that for each k G N: 

• (6q,Xq) is an E-valued random variable extracted according to probability measure Init. 

• For t G [lft,lft+i), 8 t = Q Zk andX t = Xf, where for t > T#, Xf is a solution of the stochastic differ- 

g 

ential equation dXf = f(6 Tk ,Xl l )dt + g(B Xk ,X^)dB t rk with initial condition X\ k = X Xk , and where 
{Bf } is h-dimensional standard Brownian motion for each 6 G K. 

• 1ft+l = 1ft + Oifc, where Ok is chosen according to a survivor function given by F(t) = 
l( f<T *)exp(— Jo X(6,X*)ds). Here, T* = inf{? > T# | X t G dEg^} and 1 indicator function. 

• r/jg probability distribution of (B Zk+l ,X Zk+l ), i.e. the hybrid state right after the jump, is governed 
bythelawQ(-;(d Tk ,X Tk+l _)). 

show that under assumptions G1-G4 below, a GSHS execution is a strong Markov Process and 
has the cadlag property (right continuous with left hand limits). 

Gl f(6,-) and g(6,-) are Lipschitz continuous and bounded. This yields that for each initial state 
(6,x) at initial time X there exists a pathwise unique solution X t to dX t = f(6,X t )dt+g(6,X t )dB t , 
where {B t } is /j-dimensional standard Brownian motion. 

G2 X : E — > M + is a measurable function such that for all E, G E, there is e(£) > such that t — > 
X(d t ,X t ) is integrable on [0,e(§)). 

G3 For each fixed A G 88(E), the map £ — >• <2(A;^) is measurable and for any (d,x) G EUdE, 
Q(-\ 6,x) is a probability measure. 

G4 If A 7 , = Eft then it is assumed that for every starting point (0,x) and for all t G M + , EA^ < °°. 
This means, there will be a finite number of jumps in finite time. 
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4.2 A bisimilar GSHS for the example SDCPN 

Next we transform the SDCPN example model of Section [3] into a bisimilar GSHS. The first step is to 
construct the state space K for the GSHS discrete process {d t }. This is done by identifying the SDCPN 
reachability graph. Nodes in the reachability graph provide the number of tokens in each of the SDCPN 
places. Arrows connect these nodes as they represent transitions firing. The SDCPN of Fig. [3}} has seven 
places hence the reachability graph for this example has elements that are vectors of length 7. These 
nodes, excluding the nodes that enable immediate transitions, form the GSHS discrete state space. 



Vi =(1,0,0,1,0,1,0) 



-r 7 - 



(0,0,0,1,0,1,1)= v 5 




(i,o,i, 0,0,1, o)(o,i, 0,1, 0,1, o)(i, 0,0,1, 1,0,0) I 5 ? 6 \ 

A J \ J 

Tia T 3 T 5 Tib V 6 =(0,0,0,1,1,0,1) (0,0,1,0,0,1,1)= V 7 

\ / \ / ^ir 

V 2 =(0,1,1,0,0,1,0) (0,1,0,1,1,0,0)= v 3 

SI 





Figure 4: Reachability graph for the SDCPN of Fig. 3b. The nodes in bold type face correspond with the 
elements of the GSHS discrete state space K. 

The reachability graph is shown in Fig. |4} with nodes that form the GSHS discrete state space in Bold 
typeface, Le.K = {V h ...,V s }, with Vi = (1,0,0,1,0,1, 0),V 2 = (0,1,1,0,0,1, 0),V 3 = (0,1,1,0,1,0,0), 
V 4 = (0, 1,0, 1, 1,0,0), V 5 = (0,0,0, 1,0, 1, 1), V 6 = (0,0, 1,0,0, 1, 1), V 7 = (0,0, 1,0,1,0, 1), V & = (0,0,0, 
1, 1,0, 1). Since initially there is a token in places P\, P A and P^, the GSHS initial mode equals do = 
V\ = (1,0,0, 1,0, 1,0). The GSHS initial continuous state value equals the vector containing the initial 
colours of all initial tokens. Since the initial colour of the token in Place Pi equals Xq, and the tokens 
in places P4 and P& have no colour, the GSHS initial continuous state value equals Col{Xo,0,0} = Xq. 
The GSHS drift coefficient / is given by f(0, •) = Yi{-) for 6 = Vi, f(0,-) = %,{■) for d G {V 2 , V 3 , V A ], 
and f(6,-) = otherwise. For the diffusion coefficient, g(6, •) = #1 for 6 = Vi, g(6, •) = #2 for 6 6 
{V2, V3, V4}, and g(8, •) = otherwise. The hybrid state space is given by E = {{6} x Eq;6 £ M}, where 
for 6 G {Vi,V 2 ,V 3 ,V 4 }: E =R 2 x (0,°°) xR 2 x (0,oo) and for 6 G {V 5 , V 6 , V 7 , V & }: E e = R 6 . Always 
two delay transitions are pre-enabled: either T 3 or T4 and either T5 or T$. This yields A (Vi , •) = A (V5 , •) = 
S 4 + 56, X(V 2 , •) = A(V 6 , •) = 5 3 + 5 6 , X(V 3 , •) = A(7 7 , •) = 5 3 + 5 5 , X(V A , ■) =X{V % ,-) = S 4 + 85. For the 
determination of GSHS transition measure Q, we make use of the reachability graph, the sets <S and 
& and the rules R0-R4. In Table [TJ Q(6' ,x';G,x) = p denotes that if (0,x) is the value of the GSHS 
state before the hybrid jump, then, with probability p, (8' ,x') is the value of the GSHS state immediately 
after the jump. 

With this, the SDCPN of the aircraft evolution example is uniquely mapped to an GSHS. It can be 
shown that the SDCPN execution and the execution of the resulting GSHS are probabilistically equiva- 
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Table 1: Example GSHS transition measure for size of jump 



For x £ dEy l 


g(V 2 ,*;Vi,*) 


_ ^4 


Q(V 4 ,x;V u x) 


_ * 


For x G dEy l 


Q(V 5 ,x;V u x) 


= 1 






For x £ dEy 2 


Q(V 3 ,x;V 2 ,x) 


_ & 


Q(V u x;V 2 ,x) 


_ % 

^3+56 


For x G dEy 2 


Q(V 6 ,x;V 2 ,x) 


= 1 






For x ^ dEy 3 


Q(V 4 ,x;V 3 ,x) 


_ Si 
83+85' 


Q(V 2 ,x;V 3 ,x) 


_ 85 
83+85 


For x G d£V, 


QiV^x-V^x) 


= 1 






For x ^ d£V 4 


Q(V 3 ,x;V 4 ,x) 


— °4 

~ S4+85' 


Q(V u x;V 4 ,x) 


°5 

~ <5 4 +S 5 


For x G d£V 4 


Q(V & ,x;V 4 ,x) 


= 1 






For all x: 


Q(V 6 ,x,V s ,x) 


_ 8 4 
5 4 +5 6 ' 


Q(V 8 ,x;V 5 ,x) 


_ 4 

5 4 +5 6 


For all x: 


Q(V 7 ,x;V 6 ,x) 


_ 8 b 


Q(V 5 ,x;V 6 ,x) 


_ Ss 

83+8 6 


For all x: 


Q(V & ,x;V 7 ,x) 


_ % 

83+85' 


Q(V 6 ,x;V 7 ,x) 


_ * 
83+85 


For all x: 


Q(V 7 ,x;Vz,x) 


_ 5 4 
~~ <5 4 +S 5 > 


Q(V 5 ,x;Vz,x) 


5 4 +5 5 



lent, i.e. the SDCPN and the GSHS are bisimilar. Thanks to this bisimilarity we can now use the automata 
framework to analyse the GSHP that is defined by the SDCPN model for the example. 



5 From SDCPN to HSDE 

Following [1] and |2], this section first presents a definition of hybrid stochastic differential equation 
(HSDE) and gives conditions under which the HSDE has a pathwise unique solution. This pathwise 
unique solution is referred to as HSDE solution process or GSHP. The basic advantage of using HSDE 
in defining a GSHP over using GSHS is that with the HSDE approach the spontaneous jump mechanism 
is explicitly built on an underlying stochastic basis, whereas in GSHS the execution itself imposes an 
underlying stochastic basis. In [16] it has been proven that under a few conditions, SDCPN and HSDE 



are bisimilar. In Subsection 5.2 this is illustrated by showing how the SDCPN example of the previous 



section can be mapped to a bisimilar HSDE. 



5.1 HSDE definition 

For the HSDE setting we start with a complete stochastic basis (Q,3,F,P,T), in which a complete 
probability space (0, 3, P) is equipped with a right-continuous filtration F = {3?} on the positive time 
line T = M + . This stochastic basis is endowed with a probability measure He ,x for the initial state, 
an independent /z-dimensional standard Wiener process {W t } and an independent homogeneous Poisson 
random measure pp(dt,dz) on T x 



Definition 5.1 (Hybrid stochastic differential equation) An HSDE on stochastic basis (£2, 3 , F, P, T), is 

defined as a set of equations in which a collection of elements (M, E, f, g, jUe 0) x > A, p, fX, pp, 

{Wt}) appear. 

The elements (M, E, f, g, l~Le ,x Q , A, p, /I, pp, {W t }) are defined as follows: 
• M = {#1,. . . , $n} is a finite set, N <N <°°. 
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• E = {{6} x Eq;6 £ M} is the hybrid state space, where for each 6 6 M, Eg is an open subset of 
R" with boundary dE e . The boundary of E is BE = {{6} x d£ e ; B £ M}. 

• / : M x M" — >• M" is a measurable mapping. 

• ?:MxlR"-> M" x/l is a measurable mapping. 

• Meo-^o : ^ x ^(^) — > [0, 1] is a probability measure for the initial random variables 6q, Xq, which 
are defined on the stochastic basis; jUg^ is assumed to be invertible. 

• A : M x W 1 — > [0,o°) is a measurable mapping. 

• i|/:MxMxM"xl rf ->i"isa measurable mapping such that x + yf( $ , , x, z) G E$ f or all x G E e , 
zeR d , and#,0 G M. 

• p : M x M x R n -)■ [0, °°) is a measurable mapping such that P ($i> = 1 for all 6 G M.,x G 
W. 

• : £2 x M rf — > [0, 1] is a probability measure which is assumed to be invertible. 

• pp : Q. x T x R d+l — y {0, 1} is a homogeneous Poisson random measure on the stochastic basis, 
independent of (6q,Xq). The intensity measure of pp(dt,dz) equals dt ■ jUi(<fei) • jll(<fe), where 
z = Col{zi,z} and is the Lebesgue measure. 

• ff : n x T -)> i' 1 such that {W t } is an /j-dimensional standard Wiener process on the stochastic 
basis, and independent of (60, Xo) and pp. 

Using these elements, the HSDE process {6*,X*} is defined as follows: 

e; = e t k for an t g [4, 4 +l ),k = o, 1 ,2, . . . (i) 

X* = X* for all t G [r b k , r b k+1 ),k = 0,1,2,... (2) 

Hence {d*,X*} consists of a concatenation of processes {O^Xf} which are denned by (g-g below. If 
the system ([l])-([8]) has a solution in probabilistic sense, then the process {0 f *,X r *} is referred to as HSDE 
solution process or GSHP. 

^ = £(^-^) /J p(A,(I,-_ 1 (^,^),I ! -(^_,^)]xR rf ) (3) 
(=i 

dx{ = f(e*X)dt+ g (e*,xf)dw t + f y{e?, et,xi,z) PP (dt, (o,A(q*_,x* )] x <&) (4) 

with 0q = 80, X$ = Xo and with £o through measurable mappings satisfying, for 6 G M, ■dj G M, 
X£W: y( * r) _S A(6,x)Z j=lP (1>j,e,x) if/>0 

In addition, for k = 0, 1 , 2, . . ., with Tq = 0: 

Tf +1 ^inf{ ? >T, fo |(^,^)G^} (6) 



F{d k + l = ^,X k + l €A\0K _ = Q,X k %b _=x} = Q({$} xA;B,x) (7) 
T k+\ z k+i T t+i 

for A G ^(M"), where 2 is given by 

Q{{$}xA;d,x) = p{$,d,x) [ \ A {x+y($,d,x,z))pi{dz) 



(8) 



Next, the following proposition can be shown to hold true [16]: 
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Proposition 5.1 Let conditions H1-H8 below hold true. Let (9q (G)),Xq (o)) = (6o,Xo) G E for all ft). 
Then for every initial condition (6o,Xq), has a pathwise unique solution {6*,X*} which is cddldg 

and adapted and is a semi-martingale assuming values in the hybrid state space E. 

HI For all d G M there exists a constant K(d) such that for all x G W, |/(e,x)| 2 + ||g(0,x))|| 2 < 
K(d)(\ + \x\ 2 ), where \a\ 2 = YMf and \\ b \\ 2 = Id,jQ>ij) 2 . 

H2 For all r G N and for all 6 G M there exists a constant L r (6) such that for all x and y in the ball 

B r = {z G R" | |z| < r+ 1}, \f{9,x) -f(d,y)\ 2 + \\g(e,x) -g(d,y)\\ 2 < L r (6)\x-y\ 2 . 

H3 For each 6 G M, the mapping A(0, •) : R" — > [0,°°) is continuous and bounded, with upper bound a 
constant C\. 

H4 For all (0,#) G M 2 , the mapping p(#,0,-) : W ->• [0,°°) is continuous. 
H5 For all r G N there exists a constant M r {Q) such that 



H6 |v(0,0, x,z)\ =0or > 1 for all 6 G M, x G M", z G W l 

H7 {(6*,X*)} hits the boundary dE a finite number of times on any finite time interval 
H8 | — > 1 for i ytz f with | • | a suitable metric well defined on M. 

5.2 A bisimilar HSDE for the example SDCPN 

Next we transform the SDCPN example model of Section[3]into a bisimilar HSDE. This mapping follows 
much the same procedure as for SDCPN to GSHS, except that the discrete state space is now referred 
to as M (rather than K) and the Markov jump rate is now referred to as A (rather than X). The main 
additional difference is that the HSDE elements do not include a transition measure Q to define the size of 
jump, but include functions i/a, p and ii instead. The mapping of SDCPN to HSDE uses the construction 
of transition measure Q as an intermediate step, however. For the particular example SDCPN in this 
paper, these functions can be determined from Q as follows: Since the continuous valued process jumps 
to the same value with probability 1, we find that i/f(V,W,x,z) = for all V, W, x, z. Moreover, 
p(V l ,V J \x) = Pq{V ,x,V j ,x) and ii may be any given invertible probability measure. 

With this, the SDCPN of the aircraft evolution example is uniquely mapped to an HSDE. If in addi- 
tion, we want to make use of the HSDE properties of Proposition 5.1, i.e. the resulting HSDE solution 
process being adapted and a semi-martingale, we need to make sure that HSDE conditions H1-H8 are 
satisfied. It is shown below that they are, under the following sufficient condition Dl for the example 



Dl For P G {Pi,P 2 }, there exist K x p , U p , Kg and L w p such that for all c,a G ^(P), 
\Mc)\ 2 <*?(1 + M 2 ) and \%[c) - %(a)\ 2 < V P \c-a\ 2 and 
Wp{c)\\ 2 < K$(l + \c\ 2 ) and \\W P {c) - W P {a)\\ 2 < D*\c-a\ 2 . 

We verify that under condition Dl, HSDE conditions H1-H8 hold true in this example. 

HI: From the construction of / and g above we have for 6 = V\: \f(6,x)\ 2 + \\g(6,x)\\ 2 = |^i(x)| 2 + 
H^iWH 2 <K P \{\ + \x\ 2 )+K P \(l + \x\ 2 ) =^(0)(l + |x| 2 ), with tf(0) = {K v Pi +K P \). For 6 = 
V 2 , V 3 , V 4 the verification is with replacing f u W\ by %, W 2 . 




SDCPN. 
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H2: From the construction of / and g above we have for 6 = V\\ \f(d,x) — f(6,y)\ 2 + ||g(0,jc) — 
g(d,y)\\ 2 = \y x (x)-%{y)\ 2 + \\W x (x) -#i(y)|| 2 < L\\x-y\ 2 +L\ \x-y\ 2 = L r (6)\x-y\ 2 with 
L r (G) = U Pi +L W P{ . For B = V 2 , V 3 , V 4 replace %, W x by %, W 2 . 

H3: Since 53-56 are constant, for all 8, A(0,-) is bounded and continuous, with upper bound C\ = 
max{<5 4 + <5 6 , <5 3 + <5 6 , 83 + 85,84 + 8 5 }. 

H4: Since for all 6, #, Pq($, -\B,x) is constant, we find p(#, 6,x) = Pq($,x,6 ,x) is continuous. 

H5 and H6: These are satisfied due to y/-(V, V j ,x,z) = for all V\ V j , x, z. 

H7: This condition holds due to 8t,-8(, being finite and the fact that in this SDCPN example, there is no 
firing sequence of more than one guard transition. 

H8: This condition holds for all Vi, . . . , with metric \a\ 2 = Ei( fl i) 2 - 

Thanks to this bisimilarity mapping we can now use HSDE tools to analyse the GSHP that is defined by 
the execution of the SDCPN model for the example. 

6 Conclusions 

The aim of this paper was to explain bisimilarity relations between SDCPN (stochastically and dynami- 
cally coloured Petri net), GSHS (general stochastic hybrid system) and HSDE (hybrid stochastic differ- 
ential equation), which means that the strengths of one stochastic model formalism can be used by both 
of the other stochastic model formalisms. More specifically, these bisimilarity relations make it possible 
to combine the formal verification power of automata with the analysis power of stochastic differential 
equations and the compositional specification power of Petri nets. 

We started in Section [2] by defining SDCPN and the resulting SDCPN stochastic process, which 
is referred to as a GSHP (general stochastic hybrid process). In Section [3] we presented a simple but 
illustrative SDCPN example model. In Section [4] we studied GSHP as an execution of a GSHS and 
illustrated by using the example of Section [3] that SDCPN and GSHS are bisimilar. Next, in Section [5] 
we studied GSHP as a stochastic process solution of HSDE and showed with an illustrative example that 
SDCPN and HSDE are bisimilar. 

The bisimilarities between SDCPN, GSHS and HSDE models for the example considered mean that 
the resulting example model inherits the strengths of all three formal stochastic modelling formalisms. 
This has been depicted in Fig. [T] in the introduction. Examples of GSHP properties are convergence in 
discretisation, existence of limits, existence of event probabilities, strong Markov properties, reachabil- 
ity analysis. Examples of GSHS features are their connection to formal methods in automata theory and 
optimal control theory. Examples of HSDE features are stochastic analysis tools for semi-martingales. 
Examples of SDCPN features are natural expression of causal dependencies, concurrency and synchro- 
nisation mechanism, hierarchical and modular construction, and graphical representation. These com- 
plementary advantages of SDCPN, GSHS, HSDE and GSHP perspectives tend to increase with the com- 
plexity of the system considered. 

An illustrative large scale application of bisimularity relations between SDCPN, HSDE and stochas- 
tic hybrid automata has been developed in air traffic management. Currently pilots depend of air traffic 
controllers in solving potential conflicts between their flight trajectories. This places a huge requirement 
on the tasks of an air traffic controller. Imagine a similar kind of approach for road traffic; then each car 
driver would be blind and depends of instructions that some road traffic controller is communicating with 
the car drivers. How many cars do you think can be managed by one road traffic controller? The number 
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of aircraft that one air traffic controller can handle ranges between 10 and 20, depending of the complex- 
ity of the traffic pattern. Over a decade ago, it had been suggested by ll22l that this limitation of the air 
traffic controller can be solved by moving the responsibility of conflict resolution from the air traffic con- 
troller to the pilots. Since then this airborne self separation idea has received a lot of research attention. 
Nevertheless, it still is unknown how much more air traffic can safely be accommodated under a well de- 
signed airborne self separation way of working. In order to add to the solution of this debate, a series of 
large European studies towards solving this question have been started under the name HYB RIDGE ifTSl 
and iFly |[T9l respectively. The way of working is to first develop a well defined SDCPN model of the 
airborne self separation concept of operation to be analysed, e.g. ifTTI . Subsequently this SDCPN model 
is further analysed using a bisimilar HSDE and hybrid automation formal model representation SO, in 
which powerful stochastic analysis theory is exploited for the speeding up of Monte Carlo simulations. 
Using this approach, [4] have shown that the first generation of airborne self separation concept designs 
falls short in safely accommodating higher air traffic demand than conventional ATM can. The feedback 
of this finding to advanced air traffic concept designers triggered the development of more advanced 
airborne self separation concept of operation, e.g. see lPT9l . 
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